Joanna Rutkowska, the renowned rootkit researcher at Invisible Things Lab based in Poland, has ignited keen interest in virtualization-based malware with her creation called Blue Pill. Last year at the Black Hat conference she gave a presentation on Blue Pill, and at last week’s Black Hat 2007, she announced she is making the New Blue Pill, which, among other things, can run tens of Blue Pills inside each other, available for research purposes.
Taking up the challenge to try and detect stealthy rootkits, researchers from Symantec, Root Lab, and Matasano, which gave their own presentation at Black Hat entitled “Don’t Tell Joanna, the Virtualized Rootkit is Dead,” are aiming to prove they can detect Blue Pill and any other virtualized rootkit with software they’ve collaborated on called Samsara. But no one is declaring victory yet in detecting Blue Pill. In the following essay, Rutkowska shares some observations about things not easily seen. -- Ellen Messmer
By Joanna Rutkowska, Invisible Things Lab
Since the Black Hat conference last year, when I presented the first hardware virtualization-based malware, code-named “Blue Pill,” an amazing debate has been going on. Several security researchers decided to prove that the virtualization malware threat is non-existent. Some even went as far as to announce that the “virtualized rootkit is dead.” Interestingly, none of those researchers have presented any solution to be used for either virtualization malware prevention or detection.
First, it turned out that the “blue pill killers” confused virtualization detection with virtualization rootkits detection. Wait a second – but isn’t that the same thing, you might ask? After all, virtualization-based rootkits need to make use of virtualization, so by detecting (unexpected) virtualization we detect the virtualization-based malware as well, right? Well, not quite – it’s a bit like saying that every program that makes use of networking is a botnet agent, just because botnet agents need to use networking.
As hardware virtualization technology gets more and more widespread, many machines will be running with virtualization mode enabled, both servers and desktops, no matter whether “bluepilled” or not. In that case, blue pill-like malware will not need to take any special efforts to pretend that virtualization is not enabled, as it’s actually expected that virtualization is being used for some legitimate purposes. This means the rootkit code can be greatly simplified.